Some information security professionals and attorneys advise their clients to conduct social engineering tests on their workforce to see how many will click on a link in an email or website without taking a moment to consider if the link is secure.
Two years ago, health security veteran Tom Walsh wasn’t one of them. Tricking employees, faking them out and making them feel foolish wasn’t the way to educate them on security, but was a good way to lose their trust, believed the president of tw-Security in Overland Park, Kan. Further, when employees’ superiors actually sent legitimate email, would they be opened by employees now spooked?
In the age of sophisticated hacking for profit or economic gain, often by nation-sponsored enterprises, Walsh has changed his mind about the negatives outweighing the positives of social engineering. “Now, it’s getting down to where we have to do this,” he told Health Data Management during a talk about the latest major healthcare hack suffered by Blues plan CareFirst.
[
A social engineering program has to be fair but with some teeth, Walsh says. It has to start with strong executive commitment, comprehensive education and coaching, and the setting of sanctions. Once the program starts, sanctions would kick in after an employee made a mistake for the third time.
However, more should also be expected of senior executives, who for too long have left the gates open to domestic and international hackers, Walsh contends. Many employees—and leaders—check their personal email at work on a corporate computer and that makes the corporate network vulnerable.
A gaping hole still open in many organizations is sending emails and other outbound network traffic overseas as international traffic is not being blocked, Walsh says. Leaders need to start asking their charges why they need to communicate with Estonia, or China for that matter. There may be legitimate reasons as business associates often are based overseas. But a good first step, he advises, would be to block all international access to start, and then add exceptions as a business need for access is demonstrated.
